1

Can the Discrete Logarithm ZK be implemented on elliptic curves? It seems that such an implementation should look like the following:

  1. $Y = \alpha G$
  2. Random pick $v$
  3. $t = vG$
  4. $c = H(G, y, t)$
  5. $r = v - cx$
  6. Check: $t = rG + cY$

If yes, can I use ed25519 for this purpose and how can I select $G$?

Patriot
  • 3,132
  • 3
  • 18
  • 65
Кирилл Волков
  • 151
  • 5

1 Answers1

1

Yes, this non-interactive zero-knowledge proof works perfectly fine (with a suitable hash function) for proving knowledge of a discrete logarithm over e.g. ed25519. The basis $G$ is part of the statement: the statement is of the form "I know $\alpha$ such that $Y = G^\alpha$. As such, it works for any generator $G$ of your choice (which, over ed25519, is any element of the prime order subgroup except $0$, since its a prime order cyclic group).

Geoffroy Couteau
  • 19,919
  • 2
  • 46
  • 68